Dependence on external suppliers is a structural reality of any modern organization. Cloud services, outsourced software development, outsourcing of critical processes, managed security providers: the digital supply chain is so extensive that, in many cases, the weakest supplier defines the risk level of the entire organization. And yet supplier auditing remains one of the most underestimated activities in management system programs.
What is a second-party audit and why it matters
A second-party audit is one conducted by the client (or by an evaluator hired by the client) on its supplier. Unlike a third-party audit, which is performed by a certification body, a second-party audit responds to the specific interests of the contracting organization. It does not seek to certify the supplier. It seeks to verify that the supplier meets the requirements the organization needs in order to manage its own risks.
ISO 19011:2018, the standard that provides guidelines for auditing management systems, applies directly to this type of evaluation. But the audit criteria are defined by the contracting organization, not by a generic standard: the contract, the service level agreement, and the security requirements the organization imposes on the supplier are what the auditor checks against.
How to define which suppliers to audit
You cannot audit all your suppliers with the same depth. The first step is to classify them by criticality. A supplier is critical when it meets at least one of these conditions:
- Accesses sensitive data from your organization.
- Executes a process that, if it fails, stops your operation.
- Has direct access to your systems.
- Acts on your behalf before clients or regulators.
What to evaluate in a second-party audit
A critical supplier audit should cover at minimum five dimensions: governance and policies, access controls and data segregation, incident management, service continuity, and compliance traceability. In ISO/IEC 27001:2022, Annex A control 5.19 (information security in supplier relationships) requires processes and procedures to manage the information security risks associated with the supplier's products and services. Comprehensive risk management starts with knowing who has access to what, so the evidence to request includes the list of supplier personnel and systems with access to your data or environment, and how that access is granted, reviewed, and revoked.
How to document findings effectively
A second-party audit finding must be actionable. For each finding, document the audit criterion it is measured against, the evidence obtained (documents reviewed, records sampled, interviews held), the finding classification (major nonconformity, minor nonconformity, or observation), and the required corrective action with a deadline and an owner. ISO 19011 recommends presenting findings and conclusions during the closing meeting so that the supplier can acknowledge the evidence before the report is issued.
Frequency and follow-up
Audit frequency depends on supplier criticality. For high-risk suppliers, an annual comprehensive audit with semi-annual follow-ups on open findings is common practice; lower-risk suppliers can be covered by questionnaires or evidence reviews at longer intervals. If your organization needs to structure a supplier audit program, the starting point is defining risk criteria through an ISO 27001 security controls assessment and an ISO 9001 quality system maturity evaluation.